Hacked

Edward Glowacki glowack2@msu.edu
Mon, 15 Jan 2001 16:39:24 -0500 (EST)


On Mon, 15 Jan 2001, Mike Szumlinski wrote:
> Someone just hacked my linux box. They replaced all the index.html files
> with their own little staple crap...
> 
> My box isn't all that secure I'm sure, but I'd like to know what logs to
> check to see if maybe I can figure out at least when they got in, and how.
> Did they piggyback on someone else? I don't know. Any help would be
> appreciated.
> 
> -Mike

Check everything in /var/log, especially messages.  Read through
it, look for unusual stuff.  Specifically you might look for:

* signs of port scanning (lots of denied requests to various services)
* lines that have lots of odd stuff in them (extra characters, line
noise, lots of spaces or AAAAAAAAA or anything that looks weird) that
might indicate some sort of buffer-overflow attack
* root logins at odd hours

Check your open ports ("netstat -an").

That's a start.  If you still don't find anything, I might be able
to come up with some more. =)

Maybe it's time for me to dig out my old "Securing Unix" presentation
again and present at a meeting.  Anyone interested?

-- 
Edward Glowacki			glowack2@msu.edu
Technical Support Services		
Michigan State University
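A small triage script for the three log checks Edward suggests, added here as an example and not part of the original thread. It assumes syslog-style timestamps and ipchains-style "DENY" packet lines, and the sample log it builds is constructed for illustration; point SAMPLE_LOG at /var/log/messages to run it for real.

```shell
#!/bin/sh
# Triage helper for the checks above (added example; the log line formats
# are assumed and the sample entries below are constructed, not real).

# Lines with long runs of one character or non-printable bytes, the
# "AAAAAAAA / line noise" pattern typical of an overflow attempt.
find_overflow_lines() {
    grep -E 'A{16,}|[^[:print:]]' "$1" || :
}

# Sources whose DENY entries touch 3 or more distinct destination ports,
# i.e. a port sweep rather than a single stray packet. Prints "ip nports".
denied_port_sweeps() {
    awk '/DENY/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9.]+:[0-9]+$/) { if (src == "") src = $i; else dst = $i }
            split(src, s, ":"); split(dst, d, ":")
            seen[s[1] ":" d[2]] = 1
         }
         END {
            for (k in seen) { split(k, p, ":"); n[p[1]]++ }
            for (ip in n) if (n[ip] >= 3) print ip, n[ip]
         }' "$1"
}

# Successful root logins whose hour (field 3 of the syslog timestamp)
# falls outside the window START..END-1 on a 24h clock.
root_logins_off_hours() {
    awk -v start="$2" -v end="$3" \
        '/Accepted .* for root / { h = substr($3, 1, 2) + 0
                                   if (h < start || h >= end) print }' "$1"
}

# Constructed sample log (syslog + ipchains-style DENY lines).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 15 02:13:41 host sshd[1234]: Accepted password for root from 203.0.113.7 port 41822 ssh2
Jan 15 09:12:05 host kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.4:3211 10.0.0.5:21 L=60
Jan 15 09:12:05 host kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.4:3212 10.0.0.5:23 L=60
Jan 15 09:12:06 host kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.4:3213 10.0.0.5:25 L=60
Jan 15 09:12:06 host kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.4:3214 10.0.0.5:80 L=60
Jan 15 11:30:02 host ftpd[2201]: USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 15 14:02:11 host sshd[2300]: Accepted password for mike from 192.0.2.9 port 4101 ssh2
EOF
echo "== possible overflow lines ==";  find_overflow_lines "$SAMPLE_LOG"
echo "== port sweeps (src nports) =="; denied_port_sweeps "$SAMPLE_LOG"
echo "== root logins outside 08-18 =="; root_logins_off_hours "$SAMPLE_LOG" 8 18
```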